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(57) Abstract: Using checkpoints to secure objects and resources in a conditional access system. Authentication and/or authoriza- 
tion checks are performed at a number of checkpoints to assure security of the object and resource. Checkpoints trigger these checks 
when the purpose of the object or resource becomes manifest as well as other times during handling of the object or resource. 



WO 01/28232 



PCT/USOO/27632 



OBJECT AND RESOURCE SECURITY SYSTEM 

This application claims the benefit of U.S. Provisional Application No. 
60/158,491 filed on October 8, 1999, U.S. Provisional Application No. 60/165,094 filed 
on November 12, 1999 and U.S. Provisional Application No. 60/174,037 filed on 
5 December 30, 1999. 

BACKGROUND OF THE INVENTION 
This invention relates in general to secure access systems and, more 
specifically, to securing information. 
10 ■ Cable television (TV) providers distribute video streams to subscribers by 

way of conditional access (CA) systems. CA systems distribute video streams from a 
headend of the cable TV provider to a set top box associated with a subscriber. The 
headend includes hardware that receives the video streams and distributes them to the set 
top boxes within the CA system. Select set top boxes are allowed to decode certain video 
1 5 streams according to entitlement information sent by the cable TV provider to the set top 
box. In a similar way, other video program providers use satellite dishes to wirelessly 
distribute video content to set top boxes. 

Video programs are broadcast to all set top boxes, but only a subset of 
those boxes are given access to specific video programs. For example, only those that 
20 have ordered a pay per view boxing match are allowed to view it even though every set 
top box may receive encrypted data stream for the match. Once a user orders the pay per 
view program, an entitlement message is broadcast in encrypted form to all set top boxes. 
Only the particular set top box the entitlement message is intended for can decrypt it. 
Inside the decrypted entitlement message is a key that will decrypt the pay per view 
25 program. With that key, the set top box decrypts the pay per view program as it is 
received in real-time. Some systems sign entitlement messages. 

Only recently has storage of multiple hours of video become practical. 
Each video program is transmitted to set top boxes as a compressed MPEG2 data stream. 
One hour of video corresponds to about one gigabyte of compressed data. Since 
30 multigigabyte storage is common today, multiple hours of video can now be stored. In 
contrast, conventional CA systems presume content is ephemeral and cannot be stored. 
In other words, conventional systems are designed presuming that the video programs 
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In still another embodiment, a method for authenticating and authorizing 
content supplied to a conditional access set top box is disclosed. Content is received in 
the conditional access set top box. The content is authenticated a first time within the 
conditional access set top box; When the content is accessed within the set top box, the 
content is authenticated a second time. 

The invention will be better understood by reference to the following 
detailed description in connection with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a block diagram showing one embodiment of a content delivery 

system; 

Fig. 2 is a block diagram illustrating an embodiment of a set top box 
interfaced to its environment; 

Fig. 3 is a flow diagram showing an embodiment of a process for 
distributing an object in a first security level; 

Fig. 4 is a flow diagram showing an embodiment of a process for 
distributing an object in a second security level; 

Fig. 5 is a block diagram depicting an embodiment of an authorization 

message; 

Fig. 6 is a block diagram showing an embodiment of an object message; 
Fig. 7 is a block diagram illustrating an embodiment of a signatory group 
that includes portions of the authorization message and the object message; 

Fig. 8 is a flow diagram depicting an embodiment of a process for loading 

an object in a third security level; 

Fig. 9 is a flow diagram showing an embodiment of a process for loading 

an object in a fourth security level; 

Fig. 1 0 is a flow diagram depicting another embodiment of a process for 
loading an object in the fourth security level; 

Fig. 1 1 is a flow diagram showing an embodiment of a process for 
checking continuously running objects in a fifth security level; 

Fig. 12 is a flow diagram illustrating an embodiment of a process for 
allowing a free preview of an object in security level six; 

Fig. 13 is a flow diagram showing an embodiment of a process for 
monitoring security checks in security level seven; 
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unique PID information. There are around one hundred and twenty analog carrier 
channels in this embodiment of the system TOO. Other embodiments could distribute the 
content with satellite dishes, microwave antennas, RP transmitters, packet switched 
networks, cellular data modems, carrier current, phone lines, or the Internet. 
5 Referring next to Fig. 2, a block diagram of an embodiment of a display 

system 200 is shown. This embodiment provides multiple levels of object and resource 
security through a variety of security levels. Included in the display system 200 are a set 
top box 108, network 208, printer 212, TV display 216, and wireless input device 218. 
These items cooperate in such a way that the user can enjoy content provided from a 
10 content provider. The content can be video, audio, software, firmware, interactive TV, ^ 
data, or other information. In this embodiment, the content. provider is a cable TV 
provider. , . 

The network 208 serves as the conduit for information traveling between 
the set top box 108 and the headend 104 of the cable TV provider. In this embodiment, 
15 the network has one hundred and twenty analog channels and a bi-directional control data 
channel. Generally, the analog channels carry content and the control data channel 
carries control and entitlement information. Each analog carrier channel has a number of 
digital channels multiplexed into one data stream where the digital channels are 
distinguished by packet identifiers (PEDs). The bi-directional control channel is an out- 
20 of-band channel that broadcasts data to the set top boxes 10.8 at one frequency and 

receives data from the boxes 108 at another frequency. Return data may be queued to 
decrease overloading during peak use periods using a store and forward methodology 
well known in the art. Other embodiments could use a cable modem or digital subscriber 
line (DSL) for both control information and content where the content is formatted as 
25 packet switched data. 

The printer 212 is an optional accessory some users may purchase and add 
to their display system 200. When using the set top box 108 for personal computer tasks, 
the printer 212 allows printing data such as email, web pages, billing information, etc. As 
will be explained further below, the ability to use a peripheral like a printer is regulated 
30 by an authorization check. Using the regulation feature, printers 212 compatible with the 
set top box 108 do not work unless proper authorization is obtained. 

The TV display 216 presents the user with audio and/or video 
corresponding to the content. The display 216 typically receives an analog video signal 
that is modulated on a carrier corresponding to channel three, channel four or a composite 
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This embodiment includes a printer port 232 for interfacing to an optional 
printer 212. The printer port 232 resource is not available to programs unless authorized. 
As explained further below, each object must have authorization to use a resource such as 
the printer port 232. Data is sent from the printer port 232 to the printer 212 in a serial or 
5 parallel fashion by way of a wired or wireless transport mechanism. 

Stated generally, a checkpoint is a point in time or a step of processing 
where the authentication and/or authorization status of an object is confirmed. A 
checkpoint is encountered when printing is requested. The checkpoint authorizes and 
authenticates the object requesting the printing. Checkpoints are places in one object 
1 0 where authentication and/or authorization are run on another obj ect (e.g., an operating 

system checks authentication and authorization of an application that is running). Ideally, 
checkpoints are performed when the purpose of the object becomes manifest. In the case 
of a printer port 232, its purpose becomes manifest when it is used to print something. 
Accordingly, a checkpoint is triggered to check the object using the printer port 232 
1 5 resource when anything is printed. Typically, the checkpoint for printing would be in the 
operating system. 

The network port 236 allows bi-directional communication between the set 
top box 108 and the headend 104. Included in the network port 236 are a tuner and a 
demodulator that tune to analog carrier channels and demodulate an MPEG data stream to 
20 allow one-way delivery of content. Also included in the network port 236 are a control- 
data transceiver or cable modem that allows for bi-directional communication of control 
data information and/or content. To distribute loading of the control data path to the 
headend 1 04 more evenly, a store and forward.methodology may be used. 

Modulation of the digital video signal onto an analog signal compatible 
25 with the TV display 2 1 6 is performed by the display interface 244. As discussed above, 
the TV display 216 generally accepts signals modulated on channel three, channel four or 
a composite channel. For displays that accept a digital input, such as LCD displays, the 
display interface 244 performs any formatting required by the digital input. 

The IR port 248 communicates bi-directionally with a wireless input 
30 device 21 8. Included in the IR port 248 is an TR transceiver that provides the wireless 
communication path with the input device 218. Other electronics in the IR port 248 
convert analog signals received by the transceiver to a corresponding digital signal and 
convert analog signals sent to the transceiver from a corresponding digital signal. The 
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316. The key is extracted from the entitlement message and used to decrypt the object 
before it is written to the memory 228 in steps 320, 324 and 328. This process provides 
both authentication and authorization of the object by using encryption. 

Referring next to Fig. 4, a flow diagram of an embodiment of a process for 

5 distributing an object in a second security level is shown. In the second level of security, 
signatures are used to authenticate an object upon download. In other words, the second 
level of security imposes a checkpoint on the object when downloaded. The signature is 
generated over a signatory group that includes portions of an authorization message and 
object message in the headend 104 in step 404. The authorization message is metadata 

10 related to the object message and the object message contains the object intended for the 
set top box 108. 

In step 408, the signature in the authorization message and the object are 
separately sent to the set top box 108 over the network 208. Preferably an asymmetric 
signature is used (e.g., RSA, DSA or ECC based), but a symmetric signature (e.g., DES 
15 or triple-DES) could also be used. Upon receipt of the signature and the object and 

before storing the object, the signature is calculated and checked by the ACP 240 in steps 
420 and 424. If the calculated and received signatures match, the object is stored in step 
428. Alternatively, the object is discarded in step 432 if there is no match, and processing 
loops back to step 412 to wait for another copy of the object. 
20 With reference to Figs. 5-7, an authorization message 500, an object 

message 600 and a signatory group 700 are respectively shown in block diagram form. 
Included in the authorization message 500 of Fig. 5 are an authorization header 504, an 
authorization data structure 508, a signature 512, and a first checksum 516. The 
authorization message 500 has information used to both authenticate and authorize the 
25 object message 600. Forming the object message of Fig. 6 are an object header 604, an 
object 608 and a second checksum 612. The object message 600 serves as the transport 
for the object 608. The signatory group 700 includes components of the authorization 
message 500 and object message 600 arranged end-to-end. The signature 512 is 
calculated over the whole signatory group 700. More specifically, the signatory group 
30 700 of Fig. 7 includes the authorization header 504, authorization data structure 508, 
object header 604, and object 608. 

The authorization header 504 indicates the configuration of the 
authorization message 500. Included in the header 504 are a subtype identifier and 
message version. The subtype identifier distinguishes the various types of authorization 

9 
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Once the signature is calculated, it is checked against the received signature to 
authenticate portions of both the authorization and object messages 500, 600. If the 
signatures do not match, the set top box 108 discards the object message 600 because it 
presumably came from an improper source. 

The first and second checksums 516, 612 are calculated with either linear 
or non- linear algorithms. These checksums 516, 612 verify the error integrity of the data 
as it is transported to the set top box 108 over the network 208. For example, the 
checksum could be a cyclic redundancy check (CRC). The message spooler 208 
calculates the checksum 5 16 as the message 500 is being sent and appends the checksum 
516 onto the end of the message 500. Conversely, the set top box 108 calculates the 
checksum as the message 500 is received and checks the calculated checksum against the 
checksum 516 in the received message 500. If the calculated and received checksums do 
not match, an error in transmission has occurred. Messages 500, 600 with errors are 
discarded whereafter the headend 104 may send replacement messages 500, 600. 

The object header 604 includes attributes for the object message 600. 
Included in the object header 604 are a header length, an object length, the object 
identifier, the software version, and a domain identifier. The header length and object 
length respectively indicate the lengths of the object header 604 and the object 608. As 
described above, the object identifier provides a unique code that allows attributing the 
authorization message 500 to the object message 600. The software version indicates the 
version of the object. Different cable TV providers are assigned domain identifiers such 
that all of the set top boxes 108, which might receive an object 608, can screen for objects 
608 associated with their domain. 

The object 608 includes content the system 100 is designed to deliver to 
set top boxes 108. Several types of information can be embedded in an object, such as 
executable programs, firmware upgrades, run-time programs (e.g., Java® or ActiveX®), 
programming schedules, billing information, video, audio, or data. The object 608 can be 
used immediately after authentication and authorization or at a later time. Additionally,^ 
authorization can be programmed to expire after a certain amount of time. 

Referring specifically to Fig. 7, the signatory group 700 is shown. This 
group 700 is comprised of parts of both the authorization message 500 and the object 
message 600. All the data used to calculate the signature 5 12 is included in the signatory 
group 700. Because the signature requires components from both the authorization 
message 500 and the object message 600, a failed signature check indicates one of the 

11 
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Referring next to Fig. 10, a flow diagram of another embodiment of a 
process for loading an object in the fourth security level is illustrated. In this 
embodiment, entitlements in the authorization message 500 are checked in order to 
confirm the object 608 is authorized before it is loaded. In step 1004, the authorization 
message 500 is read from the memory 228. Next, the controller 220 loads the 
authorization message 500 into the ACP 240 in step 1008. 

Once the ACP 240 has the authorization message 500, the entitlement 
information therein is checked in step 1012. A determination is made in step 1016 as to 
whether the object 608 is authorized by checking the entitlement information. If the 
object 608 is authorized, it is loaded into memory by the OS and executed. Alternatively, 
the OS is notified of a failed authorization attempt and object 608 is discarded in step 
1 024 if there is no entitlement to use the object 608. 

Although not express above, the authorization of level four is typically 
performed coincident with the authentication of level three and before an object 608 is 
loaded. Authorization is performed prior to authentication because authorization is a 
quicker process. After the performance of authentication and authprization, the status 
returned to the OS is NOT AUTHORIZED, AUTHORIZED BUT NOT 
AUTHENTICATED, or AUTHORIZED AND AUTHENTICATED. 

With reference to Fig. 1 1, a flow diagram of an embodiment of a process 
for checking continuously running objects in a fifth security level is depicted. As can be 
appreciated, objects that are running should also be authenticated to be sure they haven't 
been replaced or modified. Additionally, verifying authorization periodically allows the 
expiration of an application that has been continuously running for a period of time. A 
predetermined period can be used or an unpredictably changing period can also be used. 

The process begins in step 1 104 where the object 608 is read from the 
memory 228. Before loading the object 608 it has a first signature, but after loading the 
object 608 into memory 228 the signature of the loaded object is different. As those 
skilled in the art appreciate, the addresses are translated from virtual addressing to 
physical addressing such that the signature changes. Accordingly, the signature is 
recalculated in step 1108 to produce a second signature indicative of the loaded object. It 
is noted, the object should be loaded and maintained in memory 228 in such a way that 
the second signature does not change. For example, the loaded object should not have 
self-modifying code such that the signature would change. 
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- embodiments could use crippled demonstration software that can run forever, but is 
missing crucial features present in the purchased version. If the user likes the crippled 
version, the user is likely to purchase the full version to get the missing crucial features. 

With reference to Fig. 13, an embodiment of a process for monitoring 
5 security checks in security level seven is depicted in flow diagram form. In this 
embodiment the ACP 240 shadows the OS to double-check that checkpoints are 
encountered regularly. The process begins in step 1304 where the time of the last OS 
checkpoint is recorded. Checkpoints are the predetermined places in the OS or other 
software that cause confirmation of authentication and/or authorization confirmations. 
10 Since the ACP 240 is typically involved in the authentication and authorization process, 
the ACP 240 can track execution of checkpoints. In step 1308, the countdown timer is 
started. We note once again that this counter could also count-up rather than down. 

In step 1 3 12, a determination is made as to whether a checkpoint was 
observed by the ACP 240. If a checkpoint was observed, processing loops back to step 
15 1304 where the countdown timer is reset so as to start again from the beginning. 

Alternatively, a check of the timer is performed in step 1 3 16 if no checkpoint is observed. 
If the counter has not expired, processing loops back to step 1 3 12 to test once again for 
the observation of a checkpoint. When the timer does expire without reaching a 
checkpoint, processing continues to step 1 320 where the ACP 240 reports an error back to 

20 the headend 104. 

Although the above embodiment discusses testing for checkpoints on a 
single object 608, it is to be understood that testing for checkpoints may occur for each 
object 608 in the set top box 108 in the manner described above. Custom criteria may be 
designed for each object 608 in order to detect errors in the execution of that object 608. 
25 Additionally, we note a trusted or secure operating system normally does not need an 

ACP 240 to check for aberrant behavior. To thwart hackers, pirates, viruses, and memory 
errors, checking for normal functioning of the operating system (i.e., check for regular ■ 
checkpoints) adds an extra layer of security. 

Referring next to Fig. 14, a flow diagram of an embodiment of a process 
30 for using tokens to achieve an eighth level of security is shown. This embodiment uses a 
• ciphertext token to check authorization of an object 608. The ciphertext token is an 
encrypted portion of the object crucial to normal operation. Decryption of the ciphertext 
token produces a plaintext token that is inserted into the object 608 to allow proper 
execution. 
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whenever the data in the file is accessed. An HTML object 1528 is reviewed as part of a 
checkpoint whenever the HTML obj ect 1 528 is interpreted by a browser application 
1516. 

In light of the above description, a number of advantages of the present 
invention are readily apparent. Having multiple checkpoints that check authorization 
and/or authentication provides tighter security. With this added security, cable TV pirates 
are less likely to steal objects, viruses are less likely to go unnoticed and hackers are more 

likely to be detected. 

A number of variations and modifications of the invention can also be 
used. For example, the above discussion talks of multiple levels of security. It is to be 
understood that the levels can be combined together to achieve the security goals of a 
particular system. Additionally, the above embodiments relate to cable TV providers, 
however, the principals are equally applicable to satellite TV systems, Internet service 
providers, computer systems, and other providers of content. 

The above embodiments discuss several pricing methods for objects. 
Other embodiments could have one price on the first use and periodically require 
additional maintenance payments. Further, pricing could be per use with additional 
amounts per feature. For example, launching the email program is one price and printing 
each email adds an additional amount. Further still, videos could have a lifetime equal to 
just less than twice the running time to allow pausing and stopping playback, but not 
allow viewing the program two times. Video games could have a set lifetime of one hour 

or one day, for example. 

Although the invention is described with reference to specific 
embodiments thereof, the embodiments are merely illustrative, and not limiting, of the 
invention, the scope of which is to be determined solely by the appended claims. 
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7. The method for securing information of claim 6, wherein the step 
of authenticating the application includes decryption of at least a portion of the 
information. 

8. The method for securing information of claim 1 , further comprising 

steps of: 

receiving first authorization information; 

receiving second authorization information that replaces the first 
authorization information so as to extend authorization rights. 

9. The method for securing information of claim 1 , the method further 

comprising steps of: 

identifying a checkpoint during application execution; and 

performing at least one of authentication and authorization in response to 

the uncovering step. 

1 10. A content delivery system, comprising: 

2 a memory that stores content; 
a network port that receives content; and 

4 a plurality of checkpoints in software, wherein each piece of content is 

subject to at least two checkpoints . 

1 1 1 . The content delivery system of claim 10, wherein each of the 

2 plurality of checkpoints initiate at least one of authentication and authorization. • 

1 1 2. The content delivery system of claim 1 0, wherein the content 

2 comprises at least one of: software, drivers, firmware, video, audio, and data. 

1 13. The content delivery system of claim 1 0, further comprising a 

2 content provider coupled to the network port. 

1 1 4. The content delivery system of claim 10, further comprising an 

2 access control processor that performs at least one of the following: authentication and 

3 authorization. 
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6 authenticating the content a second time when the content is accessed 

7 within the conditional access set top box. 

1 22. The method for authenticating and authorizing objects of claim 21 , 

2 wherein the content comprises one of an object and-a resource. 

1 23. The method for authenticating and authorizing objects of claim 21 , 

2 wherein the conditional access set top box is integrated into an image displaying 

3 apparatus. 
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